A storage device with hardened security features has a storage medium, an interface, and a controller. The interface communicatively couples the storage device to a host system. The controller resides within the storage device and reads information from, and writes information to, the storage medium. Before executing a security partition creation command received over the interface, the controller requires a security partition authorization from the manufacturer of the storage device.
Legal claims defining the scope of protection, as filed with the USPTO.
1. A device comprising: a host computer system comprising a host processor; a data storage device comprising: a command interface configured to receive commands from the host computer system and a second computer communicatively coupled to the host computer system; a data storage medium; a data storage device controller coupled to the command interface and the data storage medium, the data storage device controller adapted to: create a security partition on the data storage medium when an authorization to create the security partition is received from the second computer along a direct secure connection that bypasses a host operating system while the host processor is executing the host operating system; and reject a request to create the security partition when the authorization is not received from the second computer.
2. The device of claim 1 wherein the data storage device further comprises a cryptography chip configured to authenticate the authorization, the cryptography chip coupled to the data storage device controller to indicate to the data storage device controller whether the authorization is authentic.
3. The device of claim 1 wherein the data storage device further comprises an existing security partition on the data storage medium and an authority table stored within the existing security partition, the authority table defining multiple permitted users that have privileges related to the existing security partition, wherein different users of the multiple permitted users may have different privileges related to the existing security partition.
4. The device of claim 1 wherein the security partition further comprises an area of the data storage medium that is hidden from the operating system.
5. The device of claim 1 wherein the data storage medium comprises multiple secure partitions, each of the multiple secure partitions for exclusive use by a specific authorized application.
6. The device of claim 1 wherein the data storage medium further comprises a master security partition having at least one security key, wherein the data storage device controller is configured to compare the at least one security key to a second security key received from the second computer to verify the second computer is allowed to issue the authorization to create the security partition on the data storage medium.
7. A device comprising a data storage controller configured to: receive a request to create a security partition on a data storage medium from a client system; instruct the client system to request authorization to create the security partition from a second computer and connect to the second computer through a secure tunnel; create the security partition when an authorization to create the security partition is received from the second computer through the secure tunnel; and reject the request to create the security partition when the authorization is not received from the second computer.
8. The device of claim 7 wherein the second computer comprises an authorization server communicatively coupled to the client system via a network.
9. The device of claim 8 wherein when the data storage controller creates the security partition the data storage controller initializes access controls to the security partition, the access controls including role-based access rights to the security partition.
10. The device of claim 9 wherein the authorization comprises a command authorizing the data storage controller to instantiate the security partition.
11. The data storage device of claim 7 further comprising a cryptography chip configured to indicate to the data storage controller whether the authorization is authentic by comparing a first security key stored in a secure area to a second security key received from the second computer.
12. The data storage device of claim 7 wherein the data storage medium comprises multiple secure partitions, each of the multiple secure partitions for exclusive use by a specific authorized application, and each of the multiple security partitions comprises an area of the data storage medium that is hidden from an operating system of the host computer.
13. A server comprising: an interface to receive data and commands from a network; a controller coupled to the interface and configured to: receive an authorization request to create a security partition on an external data storage device that is external to the server, the authorization request identifying a specific application requesting creation of the security partition, wherein a security partition comprises an area of a data storage medium of the external data storage device that has a restricted access and is used exclusively by a specific authorized application; determine whether an application requesting the authorization request is trusted; determine whether to issue the authorization based on the comparison; issue the authorization by sending an authorization indicator to the external data storage device when the requesting application is trusted; and reject the authorization by sending a rejection indicator to the external data storage device when the requesting application is not trusted.
14. The server of claim 13 further comprising the controller configured to determine if the requested security partition already exists and, when the requesting application is trusted, authorize use of the security partition for the specific authorized application when the security partition already exists.
15. The server of claim 13 further comprising the controller configured to establish a secure connection to send communications from the server, through the network and through a host computer of the data storage device, to the data storage device, to bypass an operating system of the host computer.
16. The server of claim 13 further comprising the controller configured to receive the authorization request from a second server communicatively coupled to the interface, wherein the external data storage device is part of a host system that is also external to the second server, and the authorization request from the second server comprises an authorization request to create a security partition on the external data storage device.
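The creation flow the claims describe, as an added Python model that is not part of the patent: the controller issues a nonce and defers to the authorization server (the claims' "second computer"), the server authorizes only trusted applications (claim 13), and the controller verifies the authorization against its stored key before creating the partition and initializing its access rights (claims 1, 6, 7, 9). The HMAC token format, class and field names and the trusted-application list are assumptions.

```python
import hmac
import hashlib
import secrets

# Constructed demo of the authorization flow in claims 1, 7 and 13: a storage
# controller refuses to create a security partition unless an authorization
# server (the claims' "second computer") approved the requesting application.
# Names, the HMAC token format and the role table are assumptions, not the patent's.

TRUSTED_APPS = {"backup-agent"}  # constructed server-side list of trusted applications

class AuthorizationServer:  # claim 13: decides on trust, issues or rejects authorization
    def __init__(self, key: bytes, trusted_apps: set):
        self._key = key  # same key the device keeps in its master security partition (claim 6)
        self._trusted = trusted_apps

    def handle_request(self, device_id: str, app_id: str, nonce: bytes) -> dict:
        if app_id not in self._trusted:
            return {"status": "rejected", "app_id": app_id}
        msg = f"{device_id}|{app_id}|".encode() + nonce
        tag = hmac.new(self._key, msg, hashlib.sha256).digest()
        return {"status": "authorized", "app_id": app_id, "nonce": nonce, "tag": tag}

class StorageController:  # claims 1, 6, 7, 9: gates creation on a verified authorization
    def __init__(self, device_id: str, master_key: bytes):
        self.device_id = device_id
        self._master_key = master_key  # claim 6: key held in the master security partition
        self._pending = {}  # app_id -> nonce of an outstanding creation request
        self.partitions = {}

    def request_partition(self, app_id: str) -> bytes:
        # Claim 7: the controller tells the client to obtain authorization; the nonce
        # ties that authorization to this request so an old token cannot be replayed.
        nonce = secrets.token_bytes(16)
        self._pending[app_id] = nonce
        return nonce

    def create_partition(self, app_id: str, authorization: dict) -> bool:
        nonce = self._pending.pop(app_id, None)
        if nonce is None or not authorization or authorization.get("status") != "authorized":
            return False  # claims 1 and 7: reject when no authorization was received
        msg = f"{self.device_id}|{app_id}|".encode() + nonce
        expected = hmac.new(self._master_key, msg, hashlib.sha256).digest()
        # Claims 2, 6, 11: compare the tag under the stored key with the received one
        if authorization.get("nonce") != nonce or not hmac.compare_digest(expected, authorization.get("tag", b"")):
            return False
        # Claim 9: initialize role-based access rights; claim 4: hidden from the host OS
        self.partitions[app_id] = {"hidden_from_os": True, "authority_table": {app_id: {"read", "write"}}}
        return True
```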
May 10, 2005
February 28, 2012